Homomorphic data encryption method and apparatus for implementing privacy protection

ABSTRACT

A computer-implemented method, non-transitory, computer-readable medium, and computer-implemented system are provided for implementing privacy protection. In an implementation, a public key pk={N, h} corresponding to a target user is obtained, where h is a generator of a predetermined cyclic group with a size of k in a random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n. A random number r is selected, so that h^(r) belongs to the predetermined cyclic group. To-be-encrypted data m corresponding to the target user is processed using the public key pk and the random number r to generate a homomorphic ciphertext c=(1+N)^(m)·(h^(N) mod N²)^(r) mod N². The homomorphic ciphertext c is provided to the target user, where the homomorphic ciphertext c can be decrypted using a private key sk to obtain the data m.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of PCT Application No. PCT/CN2020/071839, filed on Jan. 13, 2020, which claims priority to Chinese Patent Application No. 201910528750.9, filed on Jun. 18, 2019, and each application is hereby incorporated by reference in its entirety.

TECHNICAL FIELD

One or more implementations of the present specification relate to the field of encryption/decryption technologies, and in particular, to a homomorphic data encryption/decryption method and apparatus for implementing privacy protection.

BACKGROUND

In many scenarios, users require privacy protection for data content. For example, a blockchain technology (which is also referred to as a distributed ledger technology) is a decentralized distributed database technology, features decentralization, transparency, tamper-resistance, trustworthiness, etc., and is applicable to many application scenarios that require high data reliability. However, data such as transaction amounts of blockchain transactions can be exposed because full transaction data can be publicly queried. For another example, in a multi-party computation scenario, assume that user A holds data to be processed, and user B holds a data processing model. When the data to be processed is processed by using the data processing model, a value of the data to be processed can be exposed if user A sends the data to be processed to user B, and model parameters of the data processing model can be exposed if user B provides the data processing model to user A for use.

SUMMARY

In view of this, one or more implementations of the present specification provide a homomorphic data encryption/decryption method and apparatus for implementing privacy protection.

To achieve the previous objective, the one or more implementations of the present specification provide the following technical solutions:

According to a first aspect of the one or more implementations of the present specification, a homomorphic data encryption method for implementing privacy protection is provided, and includes the following: obtaining public key pk={N, h} corresponding to a target user, where h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n; selecting random number r, so that h^(r) belongs to the predetermined cyclic group; processing to-be-encrypted data m corresponding to the target user by using public key pk and random number r, to generate homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N²; and providing homomorphic ciphertext c to the target user, where homomorphic ciphertext c can be decrypted by the target user by using private key sk to obtain data m, a value of private key sk is α=a·k, and a is a predetermined non-zero value.

According to a second aspect of the one or more implementations of the present specification, a homomorphic data decryption method for implementing privacy protection is provided, and includes the following: obtaining homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N², where homomorphic ciphertext c is obtained after data m is processed by using public key pk={N, h} corresponding to a target user and random number r, h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), h^(r) belongs to the predetermined cyclic group, a length of k is i bits, a length of N is n bits, and i<<n; and decrypting homomorphic ciphertext c based on private key sk of the target user, to obtain data

$m = \frac{(c^{k} \bmod N^{2}) - 1}{N} \cdot k^{-1} \bmod N$

before encryption, where a value of private key sk is α=a·k, and a is a predetermined non-zero value.

According to a third aspect of the one or more implementations of the present specification, a homomorphic data encryption apparatus for implementing privacy protection is provided, and includes the following: a public key acquisition unit, configured to obtain public key pk={N, h} corresponding to a target user, where h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n; a random number selection unit, configured to select random number r, so that h^(r) belongs to the predetermined cyclic group; a data processing unit, configured to process to-be-encrypted data m corresponding to the target user by using public key pk and random number r, to generate homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N²; and a ciphertext providing unit, configured to provide homomorphic ciphertext c to the target user, where homomorphic ciphertext c can be decrypted by the target user by using private key sk to obtain data m, a value of private key sk is α=a·k, and a is a predetermined non-zero value.

According to a fourth aspect of the one or more implementations of the present specification, a homomorphic data decryption apparatus for implementing privacy protection is provided, and includes the following: a ciphertext acquisition unit, configured to obtain homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N², where homomorphic ciphertext c is obtained after data m is processed by using public key pk={N, h} corresponding to a target user and random number r, h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), h^(r) belongs to the predetermined cyclic group, a length of k is i bits, a length of N is n bits, and i<<n; a ciphertext decryption unit, configured to decrypt homomorphic ciphertext c based on private key sk of the target user, to obtain data

$m = \frac{(c^{k} \bmod N^{2}) - 1}{N} \cdot k^{-1} \bmod N$

before encryption, where a value of private key sk is α=a·k, and a is a predetermined non-zero value; and a data output unit, configured to output decrypted data m to the target user.

According to a fifth aspect of the one or more implementations of the present specification, an electronic device is provided, and includes the following: a processor; and a memory, configured to store a processor executable instruction, where the processor executes the executable instruction to implement the method according to the first aspect.

According to a sixth aspect of the one or more implementations of the present specification, a computer readable storage medium is provided, where the computer readable storage medium stores a computer instruction, and the instruction is executed by a processor to implement the steps of the method according to the first aspect.

According to a seventh aspect of the one or more implementations of the present specification, an electronic device is provided, and includes the following: a processor; and a memory, configured to store a processor executable instruction, where the processor executes the executable instruction to implement the method according to the second aspect.

According to an eighth aspect of the one or more implementations of the present specification, a computer readable storage medium is provided, where the computer readable storage medium stores a computer instruction, and the instruction is executed by a processor to implement the steps of the method according to the second aspect.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a flowchart illustrating a homomorphic data encryption method for implementing privacy protection, according to an example implementation;

FIG. 2 is a flowchart illustrating a homomorphic data decryption method for implementing privacy protection, according to an example implementation;

FIG. 3 is a schematic diagram illustrating random number space Z*_(N), according to an example implementation;

FIG. 4 is a schematic diagram illustrating implementing a confidential transaction in a blockchain network, according to an example implementation;

FIG. 5 is a schematic interaction diagram illustrating a multi-party computation scenario, according to an example implementation;

FIG. 6 is a schematic structural diagram of a device, according to an example implementation;

FIG. 7 is a block diagram illustrating a homomorphic data encryption apparatus for implementing privacy protection, according to an example implementation;

FIG. 8 is another schematic structural diagram of a device, according to an example implementation; and

FIG. 9 is a block diagram illustrating a homomorphic data decryption apparatus for implementing privacy protection, according to an example implementation.

DESCRIPTION OF IMPLEMENTATIONS

Example implementations are described in detail here, and examples of the example implementations are presented in the accompanying drawings. When the following description relates to the accompanying drawings, unless specified otherwise, same numbers in different accompanying drawings represent the same or similar elements. Implementations described in the following example implementations do not represent all implementations consistent with the one or more implementations of the present specification. On the contrary, the implementations are only examples of apparatuses and methods that are described in the appended claims in detail and consistent with some aspects of the one or more implementations of the present specification.

It is worthwhile to note that in other implementations, steps of a corresponding method are not necessarily performed in a sequence shown and described in the present specification. In some other implementations, the method can include more or fewer steps than those described in the present specification. In addition, a single step described in the present specification can be divided into a plurality of steps for description in other implementations, and a plurality of steps described in the present specification can be combined into a single step for description in other implementations.

In a homomorphic encryption technology, raw data can be encrypted into corresponding homomorphic ciphertext, and the homomorphic ciphertext can be directly used for calculation without being decrypted into the raw data. For example, when the calculation is an addition/subtraction operation, it indicates that the corresponding homomorphic encryption technology satisfies additive homomorphism; when the calculation is a multiplication/division operation, it indicates that the corresponding homomorphic encryption technology satisfies multiplicative homomorphism; or when the calculation includes both an addition/subtraction operation and a multiplication/division operation, it indicates that the corresponding homomorphic encryption technology satisfies full homomorphism. Additive homomorphism can be implemented by using homomorphic data encryption/decryption solutions implemented in the present specification.

Before implementing homomorphic encryption/decryption, a user needs to obtain a public and private key pair uniquely corresponding to the user. In other words, each user maintains one public and private key pair, and different users correspond to different public and private key pairs. For example, when holding public key pk_0 and private key sk_0, a certain user can encrypt plaintext data m_0 by using public key pk_0, to obtain corresponding homomorphic ciphertext c_0. In this case, homomorphic ciphertext c_0 can be decrypted into plaintext data m_0 only by using private key sk_0, and homomorphic ciphertext c_0 cannot be normally decrypted by using private key sk_1 held by another user or other data.

In addition, assume that the user encrypts plaintext data m_1 by using public key pk_0, to obtain corresponding homomorphic ciphertext c_1, and encrypts plaintext data m_2 by using public key pk_0, to obtain corresponding homomorphic ciphertext c_2. In this case, homomorphic ciphertext c_0, c_1, and c_2 can satisfy additive homomorphism. For example, the following calculation can be performed on homomorphic ciphertext c_0, c_1, and c_2: c_3=c_0+c_1−c_2. In this case, the user can decrypt c_3 by using private key sk_0, to obtain corresponding plaintext data m_3, and can determine that m_3=m_0+m_1−m_2 based on the previous additive homomorphism feature. Certainly, an operation rule of homomorphic ciphertext is not necessarily the same as an operation rule of plaintext data. For example, when addition of the plaintext data can correspond to multiplication of the homomorphic ciphertext, and subtraction of the plaintext data can correspond to division of the homomorphic ciphertext, the following calculation can be performed on homomorphic ciphertext c_0, c_1, and c_2: c_3=c_0×c_1÷c_2. In this case, corresponding plaintext data is m_3=m_0+m_1−m_2.

The homomorphic data encryption/decryption solutions for implementing privacy protection in the present specification are described below with reference to implementations.

FIG. 1 is a flowchart illustrating a homomorphic data encryption method for implementing privacy protection, according to an example implementation. As shown in FIG. 1, the method is applied to a computing device, and can include the following steps.

Step 102: Obtain public key pk={N, h} corresponding to a target user, where h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n.

The computing device can belong to the target user. To be specific, the target user can perform homomorphic encryption on data m by using public key pk corresponding to the target user, to perform privacy protection for a value of data m, or perform another operation. Alternatively, the computing device can belong to a user other than the target user, and public key pk of the target user can be disclosed to the user, so that the user can perform homomorphic encryption on data m based on public key pk, and can even further perform another operation that satisfies additive homomorphism on homomorphic ciphertext c obtained through encryption, and only the target user can decrypt homomorphic ciphertext c or an operation result of homomorphic ciphertext c by using private key sk.

N is a predetermined number. For example, length n of N can be 2048 bits or another length. Implementations are not limited in the present specification. Then, random number space Z*_(N) can be determined based on number N. In random number space Z*_(N), a predetermined cyclic group can be determined. The predetermined cyclic group has generator h, so that all elements in the predetermined cyclic group can be generated by generator h. For example, the elements in the predetermined cyclic group can be represented as h⁰, h¹, h² . . . . When the size of the predetermined cyclic group is k, the elements in the predetermined cyclic group can be represented as h⁰, . . . , and h^(k−1), and all other powers of generator h can be cyclically represented as h⁰, . . . , and h^(k−1), for example, h^(k)=h⁰, h^(k+1)=h¹, and h^(2k−1)=h^(k−1).

Step 104: Select random number r, so that h^(r) belongs to the predetermined cyclic group.

Random number r is randomly selected, but it must be ensured that h^(r) belongs to the predetermined cyclic group. Therefore, random number r cannot be selected in a fully random way. In practice, when the size of the predetermined cyclic group is k, r∈[0, k−1] should be ensured.

In addition, when the length of k is i bits, it can be ensured that a length of random number r is also i bits. Compared with length n of N, i<<n, and therefore random number r is a number far less than N, for example, the values of r and N differ by a predetermined order of magnitude. For example, when n=2048, i=320 can be selected. In this case, the value of random number r is far less than the value of N.

Step 106: Process to-be-encrypted data m corresponding to the target user by using public key pk and random number r, to generate homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N².

The calculation equation of homomorphic ciphertext c includes two parts: (1+N)^(m), used to include plaintext data m, and (h^(r) mod N)^(N) or (h^(N) mod N²)^(r), used to increase ciphertext randomness. For (h^(N) mod N²)^(r), as described above, a predetermined cyclic group is selected from random number space Z*_(N), and size k of the predetermined cyclic group has shorter length i, so that random number r also has a shorter length. Therefore, compared with a selected random number with a length of n or the same order of magnitude, random number r with a shorter length can ensure a smaller calculation amount of (h^(N) mod N²)^(r), and therefore encryption efficiency can be significantly improved when same data m is encrypted. In particular, in a scenario in which an encryption operation is performed on a large amount of data, for example, in a blockchain network, processing efficiency of a confidential transaction can be significantly improved. For another example, in a multi-party computation scenario, a calculation speed can be significantly increased.

Random number r with a very small value can be prevented from being selected by limiting the minimum value of length i, to prevent insufficient randomness of homomorphic ciphertext c from affecting security of homomorphic ciphertext c. For example, when n=2048, it is set that i≥224, in other words, the length of random number r is not less than 224 bits, and therefore sufficient randomness and security of homomorphic ciphertext c can be ensured, for example, at least 112-bit or higher security can be provided (homomorphic ciphertext c cannot be decrypted in 2¹¹² steps).

When (h^(N) mod N²)^(r) in the equation is calculated, modular exponentiation can be directly performed each time based on the equation, but a relatively long calculation time may be needed due to a relatively large calculation amount. However, after (h^(r) mod N)^(N) is converted into (h^(N) mod N²)^(r) in the equation, it can be found that (h^(N) mod N²)^(r) represents fixed base modular exponentiation with an exponent of i bits, in other words, a base of (h^(N) mod N²)^(r) is fixed to h^(N) mod N². Therefore, a value of h^(N) mod N² can be pre-calculated based on h in public key pk, and no temporary calculation is needed.

Further, the length of random number r is fixed to i bits, and therefore each random number r can be represented as an i-bit binary string. On a basis of j bits, the i-bit binary string can be divided into i/j numerical segments r_0, r_1, . . . , and r_[(i/j)−1], which can be uniformly represented as r_u, where u∈[0, (i/j)−1]. Assume that these numerical segments can be sequentially arranged as r_0, r_1, . . . , and r_[(i/j)−1] in an ascending order. In this case, each random number r can be represented as Σr_u·2^(ju)=r_0+r_1·2^(j)+ . . . +r_[(i/j)−1]·2^(j[(i/j)−1]), and a value of any numerical segment r_u belongs to [0, 2^(j)−1]. Therefore, (h^(N) mod N²)^(r) can be divided into (h^(N) mod N²)^(r_0)·(h^(N) mod N²)^(r_1·2^(j))· . . . ·(h^(N) mod N²)^(r_[(i/j)−1]·2^(j[(i/j)−1])), and can be further converted into (h^(N) mod N²)^(r_0)·[(h^(N) mod N²)^(2^(j))]^(r_1)· . . . ·[(h^(N) mod N²)^(2^(j[(i/j)−1]))]^(r_[(i/j)−1]). For example, j=8 or another value can be selected.

Then, values of h^(N) mod N², (h^(N) mod N²)^(2^(j)), . . . , and (h^(N) mod N²)^(2^(j[(i/j)−1])) can be pre-calculated, and then after actually selected random number r is divided, further calculation is performed with reference to the pre-calculated values. Alternatively, the value of each of numerical segments r_0, r_1, . . . , and r_[(i/j)−1] obtained after random number r is divided belongs to [0, 2^(j)−1], and therefore values of (h^(N) mod N²)^(0) to (h^(N) mod N²)^(2^(j)−1), [(h^(N) mod N²)^(2^(j))]^(0) to [(h^(N) mod N²)^(2^(j))]^(2^(j)−1), . . . , and [(h^(N) mod N²)^(2^(j[(i/j)−1]))]^(0) to [(h^(N) mod N²)^(2^(j[(i/j)−1]))]^(2^(j)−1) can be pre-calculated. In this case, after actually selected random number r is divided, for example, when i/j numerical segments r_u are obtained through division and u∈[0, (i/j)−1], corresponding pre-calculated values can be selected based on values of the numerical segments, and then without involving modular exponentiation, these values are multiplied to calculate (h^(N) mod N²)^(r) or to further process (h^(N) mod N²)^(r) into [(h^(N) mod N²)^(r) mod N²], thereby improving calculation efficiency.

For example, if the numerical segments obtained after actually selected random number r is divided are r_0, r_1, . . . , and r_[(i/j)−1], in other words, r=r_0+r_1·2^(j)+ . . . +r_[(i/j)−1]·2^(j[(i/j)−1]), based on a value list formed by pre-calculated (h^(N) mod N²)^(0) to (h^(N) mod N²)^(2^(j)−1), [(h^(N) mod N²)^(2^(j))]^(0) to [(h^(N) mod N²)^(2^(j))]^(2^(j)−1), . . . , and [(h^(N) mod N²)^(2^(j[(i/j)−1]))]^(0) to [(h^(N) mod N²)^(2^(j[(i/j)−1]))]^(2^(j)−1), values of (h^(N) mod N²)^(r_0), [(h^(N) mod N²)^(2^(j))]^(r_1), . . . , and [(h^(N) mod N²)^(2^(j[(i/j)−1]))]^(r_[(i/j)−1]) (namely, values of (h^(N) mod N²)^(2^(ju)) raised to the power of r_u) can be directly determined from the value list, and then these values are multiplied to obtain (h^(N) mod N²)^(r) or to further process (h^(N) mod N²)^(r) into [(h^(N) mod N²)^(r) mod N²].

Finally, homomorphic ciphertext c can be further generated with reference to the calculated value of (1+N)^(m) and the value of [(h^(N) mod N²)^(r) mod N²].
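The table lookup described above can be written as follows. This is an added example, not code from the patent: the function names, the constructed modulus N and the base h=3 are assumptions chosen only to exercise the arithmetic, with i=320 and j=8 as in the text.

```python
# Added example (not from the patent): fixed-base modular exponentiation with
# a precomputed table, following the segment decomposition described above.
import secrets


def build_table(g, modulus, i_bits, j_bits):
    """table[u][v] = (g^(2^(j*u)))^v mod modulus, u in [0, i/j), v in [0, 2^j)."""
    if i_bits % j_bits:
        raise ValueError("i must be a multiple of j so r splits into i/j segments")
    table, base = [], g % modulus
    for _ in range(i_bits // j_bits):
        row = [1]
        for _ in range((1 << j_bits) - 1):
            row.append(row[-1] * base % modulus)
        table.append(row)
        base = row[-1] * base % modulus  # base^(2^j): base of the next segment
    return table


def fixed_base_pow(table, r, modulus, j_bits):
    """g^r mod modulus using one lookup and one multiplication per segment."""
    if not 0 <= r < 1 << (j_bits * len(table)):
        raise ValueError("r does not fit in i bits")
    mask, acc = (1 << j_bits) - 1, 1
    for row in table:                        # row u holds powers of g^(2^(j*u))
        acc = acc * row[r & mask] % modulus  # multiply in [g^(2^(j*u))]^(r_u)
        r >>= j_bits                         # move to segment r_(u+1)
    return acc


def demo():
    """Compare the table method with direct modular exponentiation."""
    # Constructed inputs: N is a product of two Mersenne primes and h = 3 is an
    # arbitrary base, not a generator produced by the key selection in the text.
    N = (2**127 - 1) * (2**89 - 1)
    n2 = N * N
    g = pow(3, N, n2)                        # the fixed base h^N mod N^2
    table = build_table(g, n2, i_bits=320, j_bits=8)
    r = secrets.randbits(320)
    return fixed_base_pow(table, r, n2, 8) == pow(g, r, n2)


if __name__ == "__main__":
    print(demo())
```

The table index is a segment of the secret r, so an implementation exposed to cache-timing observation needs constant-time table access.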

Step 108: Provide homomorphic ciphertext c to the target user, where homomorphic ciphertext c can be decrypted by the target user by using private key sk to obtain data m, a value of private key sk is α=a·k, and a is a predetermined non-zero value.

Correspondingly, FIG. 2 is a flowchart illustrating a homomorphic data decryption method for implementing privacy protection, according to an example implementation. As shown in FIG. 2, the method is applied to a computing device, and can include the following steps.

Step 202: Obtain homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N², where homomorphic ciphertext c is obtained after data m is processed by using public key pk={N, h} corresponding to a target user and random number r.

In the equation, h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), h^(r) belongs to the predetermined cyclic group, a length of k is i bits, a length of N is n bits, and i<<n. For a generation process of public key pk, selection of random number r, and an encryption process of data m, reference can be made to the implementation shown in FIG. 1. Details are omitted here for simplicity.

Step 204: Decrypt homomorphic ciphertext c based on private key sk of the target user, to obtain data

$m = \frac{(c^{k} \bmod N^{2}) - 1}{N} \cdot k^{-1} \bmod N$

before encryption, where a value of private key sk is α=a·k, and a is a predetermined non-zero value.

When a value of homomorphic ciphertext c satisfies c=(1+N)^(m)·(h^(N) mod N²)^(r) mod N², decryption based on private key sk can be performed as follows: First, size k of the predetermined cyclic group is calculated based on value α of private key sk; and then k-exponentiation is performed on both sides of the calculation equation of homomorphic ciphertext c, to obtain c^(k)=(1+N)^(km)·(h^(N) mod N²)^(rk) mod N²=(1+N)^(km)·[(h^(k))^(N) mod N²]^(r) mod N². As described above, h is the generator of the predetermined cyclic group, and the size of the predetermined cyclic group is k, and therefore h^(k)=h⁰=1. Therefore, the equation can be further converted into c^(k)=(1+N)^(km) mod N²=1+km·N mod N². In this case,

$m = \frac{(c^{k} \bmod N^{2}) - 1}{N} \cdot k^{-1} \bmod N$

can be calculated.

It can be seen that value α of private key sk is related to size k of the predetermined cyclic group. Therefore, when the target user performs k-exponentiation on both sides of the equation of homomorphic ciphertext c based on private key sk, random number part (h^(N) mod N²)^(r) can be eliminated, and only a conversion process between c and m is left, so that data m can be successfully decrypted.

Step 206: Output decrypted data m to the target user.

The target user can perform the homomorphic decryption operation on the held computing device, and output decrypted data m to the target user. Alternatively, the target user can transmit homomorphic ciphertext c to a certain non-local computing device, such as a cloud device, that is trusted by the target user. The computing device can store or temporarily obtain private key sk of the target user, decrypt homomorphic ciphertext c, and then output and return decrypted data m to the target user.

As described above, by selecting a public and private key pair that satisfies a certain condition, data m can be encrypted into corresponding homomorphic ciphertext c according to the implementation described in FIG. 1, and homomorphic ciphertext c can be decrypted into corresponding data m according to the implementation described in FIG. 2. The following describes, with reference to an implementation by using an example, how to select a public and private key pair that satisfies the previous condition.

First, number N is determined. A value of N can be a product of two large prime numbers P and Q, so that it is difficult to obtain values of P and Q. The length of each of P and Q can be 1024 bits. In this case, a length of N=P·Q is 2048 bits, namely, the previous parameter n=2048. Certainly, another length can be used in another implementation. Implementations are not limited in the present specification. When the length of N is large enough, there is a very low probability that the values of P and Q are obtained. Therefore, when a public and private key pair is generated based on the values of P and Q, it can be ensured that it is difficult to obtain values of public and private keys, which features high security. Length n of N can be first determined, then prime numbers P and Q with a length of (n/2) are selected, and it is ensured that P≡Q≡3 mod 4 and gcd(P−1, Q−1)=2 (in other words, the greatest common divisor of P−1 and Q−1 is 2) are satisfied. In this case, N=P·Q is calculated.

Message space Z_(N) can be obtained based on determined number N, and message space Z_(N) includes elements {0, . . . , N−1}. Random number space Z*_(N) can be determined based on message space Z_(N), and elements included in random number space Z*_(N) are all elements that are in message space Z_(N) and relatively prime to N. Because N=P·Q, it can be determined that the size (namely, the number of elements included) of random number space Z*_(N) is (P−1)(Q−1).

Random number space Z*_(N) includes the following subgroups: quadratic residue group QR_(N) and group ⟨−1⟩. Elements included in quadratic residue group QR_(N) are the squares of the elements of random number space Z*_(N), in other words, QR_(N)={y² mod N|y∈Z*_(N)}, and a size of quadratic residue group QR_(N) is (P−1)(Q−1)/4. Group ⟨−1⟩ is a second-order cyclic group generated by element (−1 mod N), and group ⟨−1⟩ includes elements {−1 mod N, 1 mod N}, in other words, a size of group ⟨−1⟩ is 2.

Further, quadratic residue group QR_(N) includes the following subgroups: group QR_(N)^(α) and group QR_(N)^(β). Quadratic residue group QR_(N) is an internal direct product of group QR_(N)^(α) and group QR_(N)^(β) (QR_(N)^(α)⊗QR_(N)^(β)=QR_(N)), in other words, |QR_(N)^(α)|·|QR_(N)^(β)|=|QR_(N)|, where |QR_(N)^(α)| represents a size of group QR_(N)^(α), |QR_(N)^(β)| represents a size of group QR_(N)^(β), and |QR_(N)| represents the size of quadratic residue group QR_(N). It is known that |QR_(N)|=(P−1)(Q−1)/4, and therefore values of |QR_(N)^(α)| and |QR_(N)^(β)| can be set based on this, so that |QR_(N)^(α)|·|QR_(N)^(β)|=|QR_(N)| can be satisfied. Group QR_(N)^(α) represents a set formed by all elements that are in group QR_(N) and raised to the power of α, and group QR_(N)^(β) represents a set formed by all elements that are in group QR_(N) and raised to the power of β, in other words, QR_(N)^(α)={y^(2α) mod N|y∈Z*_(N)}, and QR_(N)^(β)={y^(2β) mod N|y∈Z*_(N)}.

Therefore, an internal direct product of group QR_(N)^(β) and group ⟨−1⟩ constitutes the predetermined cyclic group. For example, the predetermined cyclic group can be represented as QR_(N)^(β)⊗⟨−1⟩. By setting |QR_(N)^(β)|=α, it can be determined that the size of the predetermined cyclic group is k=2α with reference to the size of group ⟨−1⟩ being 2. Therefore, when private key sk=α=a·k is satisfied, a=α/k=½ can be determined.

The value of α is used as private key sk, and therefore it must be ensured that the value of α cannot be obtained or is difficult to obtain, to ensure security of α. As described above, number N included in the public key is the product of prime numbers P and Q, and the values of prime numbers P and Q are difficult to obtain. Therefore, α can be calculated based on the values of prime numbers P and Q. For example, intermediate parameters p and q can be used. Intermediate parameters p and q are prime numbers, p|P−1, and q|Q−1 (in other words, P−1 is divisible by p, and Q−1 is divisible by q). In this case, α=pq can be set. In addition, β=(P−1)(Q−1)/(4pq) can be set, and gcd(α, β)=1 is satisfied. In this case, α·β=(P−1)(Q−1)/4=|QR_(N)| can be determined. It can be seen that |QR_(N)^(α)|=β with reference to |QR_(N)^(α)|·|QR_(N)^(β)|=|QR_(N)| and |QR_(N)^(β)|=α.

As described above, generator h of selected predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩ can be represented as h=−y^(2β) mod N, where y∈Z*_(N). The size of predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩ is 2α, and therefore the elements included in predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩ are {h⁰, h¹, h², . . . , h^(2α−1)}. In a subsequent encryption process, random number r needs to be selected, so that h^(r) belongs to predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩. Therefore, a value of random number r belongs to [0, 2α−1], in other words, a length of random number r is related to a length of α.

When data m is encrypted based on public key pk, a calculation equation used is c=(1+N)^(m)·(h^(N) mod N²)^(r) mod N², where random number r is used as an exponent of modular exponentiation. Therefore, the length of random number r needs to be controlled, to reduce modular exponentiation complexity. For example, when the length of N is n=2048 bits, it can be set that the length of random number r is i=320 bits, and therefore the length of α is also 320 bits. In addition, α=pq, and therefore the length of each of intermediate parameters p and q can be 160 bits, to ensure that the calculated length of α is 320 bits.
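The key selection above, together with Steps 102 to 108, Steps 202 to 206 and the earlier c_3=c_0×c_1÷c_2 relation, can be exercised end to end with toy parameters. This is an added example, not code from the patent: p=251, q=241, the search start for P and Q, the function names and passing bit length i alongside pk={N, h} are all assumptions, and keys of this size offer no security.

```python
# Added example (not from the patent): toy-sized key selection, encryption,
# decryption and ciphertext arithmetic for the scheme described above.
import math
import secrets


def is_prime(n):
    """Trial division; adequate only for the toy sizes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def pick_prime(f, t, coprime_to):
    """Smallest prime 2*f*t + 1 with odd t, so f | prime-1 and prime = 3 mod 4."""
    t |= 1
    while math.gcd(t, coprime_to) != 1 or not is_prime(2 * f * t + 1):
        t += 2
    return 2 * f * t + 1


def keygen(p=251, q=241, t_start=1 << 23):
    """Return (pk, sk, i_bits) with pk = (N, h) and sk = alpha = p*q."""
    alpha = p * q
    P = pick_prime(p, t_start, alpha)
    Q = pick_prime(q, t_start, alpha * ((P - 1) // (2 * p)))
    N = P * Q
    beta = (P - 1) * (Q - 1) // (4 * alpha)
    # Conditions the text places on P, Q, alpha and beta.
    assert P % 4 == 3 and Q % 4 == 3 and math.gcd(P - 1, Q - 1) == 2
    assert math.gcd(alpha, beta) == 1
    y = 2
    while True:
        g = pow(y, 2 * beta, N)  # y^(2*beta): order divides alpha
        if math.gcd(y, N) == 1 and pow(g, p, N) != 1 and pow(g, q, N) != 1:
            break                # order of g is exactly alpha
        y += 1
    h = (-g) % N                 # h = -y^(2*beta) mod N, order k = 2*alpha
    return (N, h), alpha, (2 * alpha).bit_length()


def encrypt(pk, m, i_bits, r=None):
    """c = (1+N)^m * (h^N mod N^2)^r mod N^2 with an i-bit random r."""
    N, h = pk
    if not 0 <= m < N:
        raise ValueError("m must lie in message space Z_N")
    if r is None:
        r = secrets.randbits(i_bits)
    n2 = N * N
    return pow(1 + N, m, n2) * pow(pow(h, N, n2), r, n2) % n2


def decrypt(pk, sk, c):
    """m = ((c^k mod N^2) - 1) / N * k^-1 mod N, with k = 2*alpha."""
    N, _ = pk
    k = 2 * sk                   # a = 1/2, so k = alpha / a
    u = pow(c, k, N * N)
    if (u - 1) % N:
        raise ValueError("not a valid ciphertext for this key")
    return (u - 1) // N * pow(k, -1, N) % N


def add(pk, c1, c2):
    """Ciphertext multiplication corresponds to plaintext addition mod N."""
    return c1 * c2 % (pk[0] ** 2)


def sub(pk, c1, c2):
    """Ciphertext division corresponds to plaintext subtraction mod N."""
    n2 = pk[0] ** 2
    return c1 * pow(c2, -1, n2) % n2


if __name__ == "__main__":
    pk, sk, i_bits = keygen()
    c0, c1, c2 = (encrypt(pk, m, i_bits) for m in (1500, 275, 400))
    c3 = sub(pk, add(pk, c0, c1), c2)    # c_3 = c_0 * c_1 / c_2
    print(decrypt(pk, sk, c3))           # 1375
```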

Based on the previously described content, in the technical solutions in the present specification, when public and private keys are determined, random number space Z*_(N), the subgroups of random number space Z*_(N), namely, quadratic residue group QR_(N) and group ⟨−1⟩, and the subgroups of quadratic residue group QR_(N), namely, group QR_(N)^(α) and group QR_(N)^(β), are actually involved. In these groups, group QR_(N)^(β) and group ⟨−1⟩ are selected to constitute predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩ in the present specification, and the size (2α) of predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩ is related to the length of random number r. In other words, predetermined cyclic group QR_(N)^(β)⊗⟨−1⟩ of an appropriate size is selected, so that random number r with an appropriate length can be selected in the encryption calculation process, to strike a balance between encryption efficiency and security (a longer length of random number r indicates lower encryption efficiency and higher security; and on the contrary, a shorter length of random number r indicates higher encryption efficiency and lower security).

Actually, random number space Z*_(N) further includes other subgroups. For example, FIG. 3 is a schematic diagram illustrating random number space Z*_(N), according to an example implementation. As shown in FIG. 3, in addition to the previous subgroups, random number space Z*_(N) can include other subgroups such as group Z*_(N)[+1] and group ⟨w⟩. However, encryption efficiency can be low when a predetermined cyclic group is formed based on these subgroups. Group Z*_(N)[+1] represents a set formed by all elements whose Jacobi symbols are +1 in random number space Z*_(N), in other words,

$Z_{N}^{*}\left\lbrack {+ 1} \right\rbrack = \left\{ y \mid y \in Z_{N}^{*},\ \left( \frac{y}{N} \right) = + 1 \right\}.$

Group ⟨w⟩ represents a second-order cyclic group generated by certain element w whose Jacobi symbol is −1 and order is 2 in random number space Z*_(N), in other words, ⟨w⟩={w mod N, 1 mod N}.

Group Z*_(N)[+1] is used as an example. A size of group Z*_(N)[+1] is (P−1)(Q−1)/2, in other words, |Z*_(N)[+1]|=(P−1)(Q−1)/2. If group Z*_(N)[+1] is used as the predetermined cyclic group or the predetermined cyclic group is generated based on group Z*_(N)[+1], when corresponding random number r is determined, the length of random number r is related to size (P−1)(Q−1)/2 of group Z*_(N)[+1]. For example, when the length of each of P and Q is 1024 bits, the length of random number r is 2048 bits, which is far greater than the 320-bit length of random number r selected based on QR_(N) ^(β)⊗⟨−1⟩. Therefore, encryption calculation complexity is increased, and encryption efficiency is lowered. Similarly, as described above, the size of group QR_(N) is (P−1)(Q−1)/4. If group QR_(N) is used as the predetermined cyclic group or the predetermined cyclic group is generated based on group QR_(N), it is determined that the length of random number r is related to size (P−1)(Q−1)/4 of group QR_(N). For example, when the length of each of P and Q is 1024 bits, the length of random number r is 2048 bits. Therefore, in the present specification, group QR_(N) is further divided to obtain group QR_(N) ^(β) with a size of α, to constitute predetermined cyclic group QR_(N) ^(β)⊗⟨−1⟩ based on group QR_(N) ^(β).

The homomorphic encryption/decryption solutions in the present specification can be applied to many application scenarios. The following provides description by using examples.

The homomorphic encryption/decryption solutions can be applied to a blockchain transaction, to implement a confidential transaction in a blockchain network. For example, the target user can create a blockchain transaction between the target user and transaction objects Q_0 to Q_t based on transfer amounts m₀ to m_(t) respectively corresponding to transaction objects Q_0 to Q_t. The blockchain transaction includes homomorphic ciphertext c₀ to c_(t) respectively corresponding to transfer amounts m₀ to m_(t), where t≥0, and account balances of the target user and transaction objects Q_0 to Q_t are respectively recorded as corresponding homomorphic ciphertext d and d_0 to d_t in a blockchain ledger. Then, the target user can submit the blockchain transaction to the blockchain network. After the blockchain transaction is completed, for homomorphic ciphertext d and d_0, . . . , and d_t recorded in the blockchain ledger, d is decreased by (c₀+ . . . +c_(t)), d_0 is decreased by c₀, . . . , and d_t is decreased by c_(t).

FIG. 4 is a schematic diagram illustrating implementing a confidential transaction in a blockchain network, according to an example implementation. As shown in FIG. 4, assume that the target user is user Ua, and transaction objects are users Ub, Uc, etc. User Ua corresponds to a unique public and private key pair (pk_0, sk_0), namely, public key pk_0 and private key sk_0. Similarly, user Ub corresponds to a unique public and private key pair (pk_1, sk_1), user Uc corresponds to a unique public and private key pair (pk_2, sk_2), and so on.

An account balance corresponding to each user is recorded in the blockchain ledger in the form of homomorphic ciphertext corresponding to the account balance. For example, an account balance of user Ua is m_a, m_a is actually encrypted by using the homomorphic encryption solutions in the present specification to generate corresponding homomorphic ciphertext c_a, and homomorphic ciphertext c_a is recorded in the blockchain ledger. Similarly, homomorphic ciphertext c_b corresponding to account balance m_b of user Ub, homomorphic ciphertext c_c corresponding to account balance m_c of user Uc, etc. are recorded in the blockchain ledger. Although data in the blockchain ledger can be publicly queried, each user can decrypt only homomorphic ciphertext corresponding to the user by using a key, and cannot decrypt homomorphic ciphertext corresponding to another user. Therefore, each user can learn only an account balance of the user, and cannot learn an account balance of another user.

Assume that user Ua initiates a blockchain transaction, and in the blockchain transaction, transfer amount 1 that needs to be transferred from user Ua to user Ub is m_1, transfer amount 2 that needs to be transferred from user Ua to user Uc is m_2, and so on. Assume that user Ua selects an asset with value of m from an account, completes the blockchain transaction by using the asset, and can learn that the remaining change amount is m_0 after transferring the asset to users Ub, Uc, etc. In this case, it can be determined that the input of the blockchain transaction is the asset with value of m, and the outputs are m_0 transferred to user Ua, m_1 transferred to user Ub, m_2 transferred to user Uc, etc. In this case, users Ua, Ub, Uc, etc. are the previously described transaction objects Q_0 to Q_t.

The asset with value of m belongs to user Ua, and the value of the asset is recorded in the blockchain ledger as corresponding homomorphic ciphertext c(pk_0, m), which indicates that homomorphic ciphertext c is obtained after homomorphic encryption is performed on the asset with value of m by using public key pk_0 of user Ua. In addition, user Ua needs to perform homomorphic encryption for each output of the blockchain transaction, and a public key used during encryption corresponds to an output target object. For example, change amount m_0 needs to be output to user Ua, and therefore amount m_0 needs to be encrypted by using public key pk_0 of user Ua to generate homomorphic ciphertext c_0(pk_0, m_0); transfer amount 1, namely, m_1, needs to be output to user Ub, and therefore amount m_1 needs to be encrypted by using public key pk_1 of user Ub to generate homomorphic ciphertext c_1(pk_1, m_1); and transfer amount 2, namely, m_2, needs to be output to user Uc, and therefore amount m_2 needs to be encrypted by using public key pk_2 of user Uc to generate homomorphic ciphertext c_2(pk_2, m_2). Certainly, other content, proof information, etc. needed by the transaction can be further included in the blockchain transaction. Implementations are omitted here for simplicity.

Then, after user Ua submits the blockchain transaction to the blockchain network, each blockchain node in the blockchain network can execute the blockchain transaction in the blockchain network after completing consensus processing on the blockchain transaction. Correspondingly, the account balance of each user recorded in the blockchain ledger changes accordingly. User Ua takes out the asset with value of m and receives the change amount in the blockchain transaction, and therefore asset c_a in the blockchain ledger is updated to [c_a−c(pk_0, m)+c_0(pk_0, m_0)] (if an addition/subtraction operation of plaintext data corresponds to a multiplication/division operation of homomorphic ciphertext, c_a is updated to [c_a÷c(pk_0, m)×c_0(pk_0, m_0)]). An additive homomorphism feature is satisfied because c_a, c(pk_0, m), and c_0(pk_0, m_0) are all generated by performing encryption by using public key pk_0 of user Ua. Therefore, a value obtained after user Ua decrypts [c_a−c(pk_0, m)+c_0(pk_0, m_0)] (or [c_a÷c(pk_0, m)×c_0(pk_0, m_0)]) by using corresponding private key sk_0 is equal to (m_a−m+m_0). Similarly, user Ub receives transfer amount 1 in the blockchain transaction, and therefore asset c_b in the blockchain ledger is updated to [c_b+c_1(pk_1, m_1)] (if an addition/subtraction operation of plaintext data corresponds to a multiplication/division operation of homomorphic ciphertext, c_b is updated to [c_b×c_1(pk_1, m_1)]), and decryption can be performed by using private key sk_1, and an obtained value is equal to (m_b+m_1). User Uc receives transfer amount 2 in the blockchain transaction, and therefore asset c_c in the blockchain ledger is updated to [c_c+c_2(pk_2, m_2)] (if an addition/subtraction operation of plaintext data corresponds to a multiplication/division operation of homomorphic ciphertext, c_c is updated to [c_c×c_2(pk_2, m_2)]), and decryption can be performed by using private key sk_2, and an obtained value is equal to (m_c+m_2).

It can be seen that based on the homomorphic encryption/decryption solutions in the present specification, it can be ensured that an account balance of a user, a transaction amount of a blockchain transaction, etc. are kept private, and each amount can be correctly calculated and maintained based on the homomorphic feature, thereby implementing a confidential transaction in a blockchain network scenario. In addition, especially when a blockchain transaction involves a plurality of transaction objects or a large quantity of blockchain transactions are involved, based on the homomorphic encryption/decryption solutions in the present specification, an execution speed of each encryption/decryption operation can be increased while security is ensured, which helps improve transaction efficiency in a blockchain network.

The previous homomorphic encryption/decryption solutions can be applied to a multi-party computation scenario, to implement secure interaction in the multi-party computation scenario. For example, the target user can send homomorphic ciphertext c₀ to c_(s) respectively corresponding to data m₀ to m_(s) to a specified user, so that the specified user can perform predetermined operation f( ) that satisfies additive homomorphism on homomorphic ciphertext c₀ to c_(s). In addition, operation result f(c₀-c_(s)) returned by the specified user can be decrypted by using private key sk, and a value obtained after the decryption is f(m₀-m_(s)).

FIG. 5 is a schematic interaction diagram illustrating a multi-party computation scenario, according to an example implementation. As shown in FIG. 5, user Ua and user Ub are still used as examples. User Ua corresponds to public and private key pair (pk_0, sk_0), and user Ub corresponds to public and private key pair (pk_1, sk_1). An interaction process between the two users can include the following steps.

Step 502: User Ua encrypts data m₀ to m_(s) into homomorphic ciphertext c₀ to c_(s).

User Ua performs homomorphic encryption processing on data m₀ to m_(s) based on the implementation shown in FIG. 1 by using public key pk_0 corresponding to user Ua, to generate corresponding homomorphic ciphertext c₀ to c_(s). A specific calculation equation and an encryption process are omitted here for simplicity.

Step 504: User Ua sends homomorphic ciphertext c₀ to c_(s) to user Ub.

User Ua sends only homomorphic ciphertext c₀ to c_(s) to user Ub, and does not need to send raw plaintext data m₀ to m_(s), and user Ub does not hold private key sk_0 corresponding to public key pk_0 used for encryption, and therefore data m₀ to m_(s) is not exposed to user Ub.

Step 506: User Ub processes homomorphic ciphertext c₀ to c_(s) by using model parameters d₀ to d_(s).

Step 508: User Ub returns ciphertext processing result c_f to user Ua.

Assume that user Ub obtains a group of model parameters d₀ to d_(s) of a data processing model through training by using a method such as big data analysis or artificial intelligence, but user Ub does not want to expose the group of model parameters d₀ to d_(s) to another user. Therefore, after processing homomorphic ciphertext c₀ to c_(s) by using the group of model parameters d₀ to d_(s), user Ub returns only obtained ciphertext processing result c_f to user Ua. As such, homomorphic ciphertext c₀ to c_(s) can be processed by using model parameters d₀ to d_(s), and exposure of information such as specific values of model parameters d₀ to d_(s) can be avoided.

When homomorphic ciphertext c₀ to c_(s) is processed by using the group of model parameters d₀ to d_(s), the processing process should satisfy the additive homomorphism feature. To be specific, a multiplication/division operation can be performed between each piece of homomorphic ciphertext and a corresponding parameter, and an addition/subtraction operation instead of a multiplication/division operation should be performed between homomorphic ciphertext. For example, a processing method of the data processing model can be c₀×d₀+c₁×d₁+ . . . +c_(s)×d_(s). Certainly, if an addition/subtraction operation of plaintext data corresponds to a multiplication/division operation of homomorphic ciphertext, the processing method of the data processing model can be c₀^(d₀)×c₁^(d₁)× . . . ×c_(s)^(d_(s)).

Step 510: User Ua decrypts ciphertext processing result c_f to obtain plaintext processing result m_f.

Based on the additive homomorphism feature, after user Ub processes homomorphic ciphertext c₀ to c_(s) by using model parameters d₀ to d_(s), user Ua decrypts ciphertext processing result c_f by using private key sk_0, and obtained plaintext processing result m_f is equivalent to a result obtained after data m₀ to m_(s) is processed by using model parameters d₀ to d_(s).

Therefore, based on the homomorphic encryption/decryption solutions in the present specification, in the multi-party computation scenario involving user Ua and user Ub, it can be ensured that data m₀ to m_(s) held by user Ua is not exposed to user Ub and model parameters d₀ to d_(s) held by user Ub are not exposed to user Ua, and user Ua can finally obtain result m_f obtained after data m₀ to m_(s) is processed by using model parameters d₀ to d_(s). In addition, especially in a case in which homomorphic encryption is performed on a large amount of data, based on the homomorphic encryption/decryption solutions in the present specification, an encryption/decryption speed can be significantly increased, thereby improving multi-party computation efficiency.
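The key construction (α=pq, β, h=−y^(2β) mod N), the encryption and decryption equations, and the ciphertext operations used in the ledger update and in steps 502 to 510 can be exercised end to end. The following Python sketch is an added example, not code from the specification; the primes are constructed toy values far below n=2048 and i=320, and the generator-order check, the i-bit sampling of r, and the ciphertext validity checks are assumptions of the example.

```python
import secrets
from math import gcd

# Constructed toy parameters (not from the specification); real keys use n = 2048, i = 320.
P, Q = 607, 1031      # primes, P ≡ Q ≡ 3 (mod 4), gcd(P-1, Q-1) = 2
p, q = 101, 103       # primes with p | P-1 and q | Q-1
I_BITS = 15           # public bit length i of k = 2*alpha = 20806


def keygen():
    """Return (pk, sk) with pk = (N, h) and sk = alpha = p*q."""
    if not (P % 4 == 3 and Q % 4 == 3 and gcd(P - 1, Q - 1) == 2):
        raise ValueError("P and Q violate the stated conditions")
    if (P - 1) % p or (Q - 1) % q:
        raise ValueError("need p | P-1 and q | Q-1")
    N, alpha = P * Q, p * q
    beta = (P - 1) * (Q - 1) // (4 * alpha)
    if gcd(alpha, beta) != 1:
        raise ValueError("need gcd(alpha, beta) = 1")
    k = 2 * alpha                                  # size of the predetermined cyclic group
    while True:
        y = secrets.randbelow(N - 2) + 2
        if gcd(y, N) != 1:
            continue
        h = (-pow(y, 2 * beta, N)) % N             # h = -y^(2*beta) mod N
        # Assumption of this example: keep h only if its order is exactly k
        # (the prime factors of k are 2, p and q).
        if all(pow(h, k // f, N) != 1 for f in (2, p, q)):
            return (N, h), alpha


def encrypt(pk, m, r=None):
    """c = (1+N)^m * (h^N mod N^2)^r mod N^2."""
    N, h = pk
    if not 0 <= m < N:
        raise ValueError("plaintext must be in [0, N)")
    if r is None:
        r = secrets.randbits(I_BITS)               # assumption: sender draws an i-bit r
    N2 = N * N
    return pow(1 + N, m, N2) * pow(pow(h, N, N2), r, N2) % N2


def decrypt(pk, sk, c):
    """m = ((c^k mod N^2) - 1) / N * k^(-1) mod N, with k = 2*alpha."""
    N, _ = pk
    N2, k = N * N, 2 * sk
    if not 0 < c < N2 or gcd(c, N) != 1:
        raise ValueError("ciphertext is not a unit modulo N^2")
    u = pow(c, k, N2)
    if (u - 1) % N:                                # h-part did not vanish under exponent k
        raise ValueError("not a well-formed ciphertext for this key")
    return (u - 1) // N * pow(k, -1, N) % N


def he_add(pk, c1, c2):
    """Plaintext addition is ciphertext multiplication."""
    return c1 * c2 % (pk[0] ** 2)


def he_sub(pk, c1, c2):
    """Plaintext subtraction is ciphertext division (modular inverse)."""
    N2 = pk[0] ** 2
    return c1 * pow(c2, -1, N2) % N2


def weighted_sum(pk, cts, weights):
    """c_0^d_0 * c_1^d_1 * ... * c_s^d_s mod N^2, computed without the private key."""
    N2 = pk[0] ** 2
    acc = 1
    for c, d in zip(cts, weights):
        acc = acc * pow(c, d, N2) % N2
    return acc


def mpc_demo():
    pk, sk = keygen()                              # user Ua's key pair
    data, params = [12, 7, 30], [3, 5, 2]          # constructed m_0..m_s and d_0..d_s
    cts = [encrypt(pk, m) for m in data]           # steps 502 and 504 (Ua)
    c_f = weighted_sum(pk, cts, params)            # steps 506 and 508 (Ub, no sk)
    return decrypt(pk, sk, c_f)                    # step 510 (Ua)
```

The results are only meaningful while the plaintext result stays below N; a sum that exceeds N wraps around modulo N.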

FIG. 6 is a schematic structural diagram of a device, according to an example implementation. Referring to FIG. 6, in terms of hardware, the device includes a processor 602, an internal bus 604, a network interface 606, a memory 608, and a nonvolatile memory 610, and certainly can further include hardware needed by other services. The processor 602 reads a corresponding computer program from the nonvolatile memory 610 into the memory 608 and then runs the corresponding computer program, to logically form a homomorphic data encryption apparatus for implementing privacy protection. Certainly, in addition to a software implementation, one or more implementations of the present specification do not exclude another implementation, for example, a logic device or a combination of hardware and software. That is, an execution body of the following processing procedure is not limited to each logical unit, and can be hardware or a logic device.

Referring to FIG. 7, in the software implementation, the homomorphic data encryption apparatus for implementing privacy protection can include the following: a public key acquisition unit 71, configured to obtain public key pk={N, h} corresponding to a target user, where h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n; a random number selection unit 72, configured to select random number r, so that h^(r) belongs to the predetermined cyclic group; a data processing unit 73, configured to process to-be-encrypted data m corresponding to the target user by using public key pk and random number r, to generate homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N²; and a ciphertext providing unit 74, configured to provide homomorphic ciphertext c to the target user, where homomorphic ciphertext c can be decrypted by the target user by using private key sk to obtain data m, a value of private key sk is α=a·k, and a is a predetermined non-zero value.

Optionally, quadratic residue group QR_(N) of random number space Z*_(N) is an internal direct product of group QR_(N) ^(α) and group QR_(N) ^(β), |QR_(N) ^(β)|=α, the predetermined cyclic group is an internal direct product of group QR_(N) ^(β) and group ⟨−1⟩, group ⟨−1⟩ is a second-order cyclic group generated by element (−1 mod N) in random number space Z*_(N), and a=½.

Optionally, when N=P·Q, P and Q are prime numbers with a length of n/2 bits, P≡Q≡3 mod 4, and gcd(P−1, Q−1)=2, it is satisfied that α=pq, β=(P−1)(Q−1)/(4pq), gcd(α, β)=1, p|(P−1), q|(Q−1), and p and q are prime numbers with a length of i/2 bits.

Optionally, h=−y^(2β) mod N, where y belongs to random number space Z*_(N).

Optionally, the data processing unit 73 is configured to: divide random number r on a basis of j bits, to obtain i/j numerical segments r_(u), where u∈[0, (i/j)−1]; query a pre-generated value list, where the value list includes a value of (h^(N) mod N²) raised to the power of (2^(ju)·v), and v∈[0, 2^(j)−1]; and generate [(h^(N) mod N²)^(r) mod N²] through combination based on an identified value of (h^(N) mod N²) raised to the power of r_(u), to generate homomorphic ciphertext c.
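The value-list lookup described for data processing unit 73 amounts to fixed-base windowed exponentiation: the list is built once per public key, and each encryption then costs one lookup and one modular multiplication per j-bit segment of r. The following Python sketch is an added example, not code from the specification; the modulus, the choice y=2, and the sizes i=16 and j=4 are constructed toy values.

```python
# Constructed toy values (not from the specification); real sizes are n = 2048, i = 320.
N = 607 * 1031                      # toy modulus N = P*Q
N2 = N * N
BETA = 15                           # beta of the toy key with p = 101, q = 103
H = (-pow(2, 2 * BETA, N)) % N      # h = -y^(2*beta) mod N with y = 2
G = pow(H, N, N2)                   # fixed base (h^N mod N^2)
I_BITS, J_BITS = 16, 4              # r is split into i/j = 4 segments of j = 4 bits


def build_table(g, mod, i_bits, j_bits):
    """table[u][v] = g^(2^(j*u) * v) mod `mod`, u in [0, i/j - 1], v in [0, 2^j - 1]."""
    if i_bits % j_bits:
        raise ValueError("i must be a multiple of j")
    table = []
    for u in range(i_bits // j_bits):
        step = pow(g, 1 << (j_bits * u), mod)      # g^(2^(j*u))
        row = [1]
        for _ in range((1 << j_bits) - 1):
            row.append(row[-1] * step % mod)       # next power of `step`
        table.append(row)
    return table


def table_pow(table, r, mod, j_bits):
    """Return g^r mod `mod` with one lookup and one multiplication per segment r_u."""
    if r < 0 or r >> (j_bits * len(table)):
        raise ValueError("r does not fit in i bits")
    mask = (1 << j_bits) - 1
    acc = 1
    for u, row in enumerate(table):
        r_u = (r >> (j_bits * u)) & mask           # u-th j-bit segment of r
        acc = acc * row[r_u] % mod
    return acc


TABLE = build_table(G, N2, I_BITS, J_BITS)         # (i/j) * 2^j = 64 stored values


def encrypt_with_table(m, r):
    """c = (1+N)^m * (h^N mod N^2)^r mod N^2, second factor taken from TABLE."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be in [0, N)")
    return pow(1 + N, m, N2) * table_pow(TABLE, r, N2, J_BITS) % N2
```

The list holds (i/j)·2^j values of n-bit-squared size, so a larger j trades memory for fewer multiplications per encryption.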

Optionally, n=2048, and 224<i<n.

Optionally, the apparatus further includes the following: a ciphertext sending unit 75, configured to send homomorphic ciphertext c₀ to c_(s) respectively corresponding to data m₀ to m_(s) to a specified user, so that the specified user performs predetermined operation f( ) that satisfies additive homomorphism on homomorphic ciphertext c₀ to c_(s), where operation result f(c₀-c_(s)) returned by the specified user can be decrypted by using private key sk, and a value obtained after the decryption is f(m₀-m_(s)).

Optionally, the apparatus further includes the following: a transaction creation unit 76, configured to create a blockchain transaction between the target user and transaction objects Q_0 to Q_t based on transfer amounts m₀ to m_(t) respectively corresponding to transaction objects Q_0 to Q_t, where the blockchain transaction includes homomorphic ciphertext c₀ to c_(t) respectively corresponding to transfer amounts m₀ to m_(t), t>0, and account balances of the target user and transaction objects Q_0 to Q_t are respectively recorded as corresponding homomorphic ciphertext d and d_0 to d_t in a blockchain ledger; and a transaction submission unit 77, configured to submit the blockchain transaction to a blockchain network, where after the blockchain transaction is completed, for homomorphic ciphertext d, d_0, . . . , and d_t recorded in the blockchain ledger, there is an operation between d and (c₀+ . . . +c_(t)), an operation between d_0 and c₀, . . . , and an operation between d_t and c_(t), so that the account balance of the target user is decreased by (m₀+ . . . +m_(t)), and the account balances of transaction objects Q_0 to Q_t are respectively decreased by c₀ to c_(t).

FIG. 8 is a schematic structural diagram of a device, according to an example implementation. Referring to FIG. 8, in terms of hardware, the device includes a processor 802, an internal bus 804, a network interface 806, a memory 808, and a nonvolatile memory 810, and certainly can further include hardware needed by other services. The processor 802 reads a corresponding computer program from the nonvolatile memory 810 into the memory 808 and then runs the corresponding computer program, to logically form a homomorphic data decryption apparatus for implementing privacy protection. Certainly, in addition to a software implementation, one or more implementations of the present specification do not exclude another implementation, for example, a logic device or a combination of hardware and software. That is, an execution body of the following processing procedure is not limited to each logical unit, and can be hardware or a logic device.

Referring to FIG. 9, in the software implementation, the homomorphic data decryption apparatus for implementing privacy protection can include the following: a ciphertext acquisition unit 91, configured to obtain homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N², where homomorphic ciphertext c is obtained after data m is processed by using public key pk={N, h} corresponding to a target user and random number r, h is a generator of a predetermined cyclic group with a size of k in random number space Z*_(N), h^(r) belongs to the predetermined cyclic group, a length of k is i bits, a length of N is n bits, and i<<n; a ciphertext decryption unit 92, configured to decrypt homomorphic ciphertext c based on private key sk of the target user, to obtain data

$m = \frac{\left( c^{k} \bmod N^{2} \right) - 1}{N} \cdot k^{- 1} \bmod N$

before encryption, where a value of private key sk is α=a·k, and a is a predetermined non-zero value; and a data output unit 93, configured to output decrypted data m to the target user.

Optionally, quadratic residue group QR_(N) of random number space Z*_(N) is an internal direct product of group QR_(N) ^(α) and group QR_(N) ^(β), |QR_(N) ^(β)|=α, the predetermined cyclic group is an internal direct product of group QR_(N) ^(β) and group ⟨−1⟩, group ⟨−1⟩ is a second-order cyclic group generated by element (−1 mod N) in random number space Z*_(N), and a=½.

Optionally, when N=P·Q, P and Q are prime numbers with a length of n/2 bits, P≡Q≡3 mod 4, and gcd(P−1, Q−1)=2, it is satisfied that α=pq, β=(P−1)(Q−1)/(4pq), gcd(α, β)=1, p|(P−1), q|(Q−1), and p and q are prime numbers with a length of i/2 bits.

Optionally, h=−y^(2β) mod N, where y belongs to random number space Z*_(N).

Optionally, n=2048, and 224≤i<n.

Optionally, the apparatus further includes the following: a ciphertext sending unit 94, configured to send homomorphic ciphertext c₀ to c_(s) respectively corresponding to data m₀ to m_(s) to a specified user, so that the specified user performs predetermined operation f( ) that satisfies additive homomorphism on homomorphic ciphertext c₀ to c_(s); and the ciphertext decryption unit 92 is configured to receive and decrypt operation result f(c₀-c_(s)) returned by the specified user, where a value obtained after the decryption is f(m₀-m_(s)).

The system, apparatus, module, or unit illustrated in the previous implementations can be implemented by using a computer chip or an entity, or can be implemented by using a product having a certain function. A typical implementation device is a computer, and the computer can be a personal computer, a laptop computer, a cellular phone, a camera phone, a smartphone, a personal digital assistant, a media player, a navigation device, an email receiving and sending device, a game console, a tablet computer, a wearable device, or any combination of these devices.

In a typical configuration, the computer includes one or more processors (CPU), input/output interfaces, network interfaces, and memories.

The memory can include a non-persistent memory, a random access memory (RAM), a nonvolatile memory, and/or another form that are in a computer readable medium, for example, a read-only memory (ROM) or a flash memory (flash RAM). The memory is an example of the computer readable medium.

The computer readable medium includes persistent, non-persistent, movable, and unmovable media that can store information by using any method or technology. The information can be a computer readable instruction, a data structure, a program module, or other data. Examples of a computer storage medium include but are not limited to a parameter random access memory (PRAM), a static random access memory (SRAM), a dynamic random access memory (DRAM), another type of random access memory (RAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a flash memory or another memory technology, a compact disc read-only memory (CD-ROM), a digital versatile disc (DVD) or other optical storage, a magnetic tape, magnetic disk storage, a quantum memory, a graphene-based storage medium, another magnetic storage device, or any other non-transmission medium. The computer storage medium can be used to store information that can be accessed by a computing device. Based on the definition in the present specification, the computer readable medium does not include transitory computer readable media (transitory media) such as a modulated data signal and carrier.

It is worthwhile to further note that the term “include”, “comprise”, or their any other variants is intended to cover a non-exclusive inclusion, so a process, a method, a product, or a device that includes a list of elements not only includes those elements but also includes other elements which are not expressly listed, or further includes elements inherent to such process, method, product, or device. An element described by “includes a . . . ” further includes, without more constraints, another identical element in the process, method, product, or device that includes the element.

Specific implementations of the present specification are described above. Other implementations fall within the scope of the appended claims. In some situations, the actions or steps described in the claims can be performed in an order different from the order in the implementations and the desired results can still be achieved. In addition, the process depicted in the accompanying drawings does not necessarily require a particular execution order to achieve the desired results. In some implementations, multi-tasking and parallel processing can be advantageous.

The term used in the one or more implementations of the present specification is merely intended to describe a particular implementation and is not intended to limit the one or more implementations of the present specification. The terms “a” and “the” of singular forms used in the one or more implementations of the present specification and the appended claims are also intended to include plural forms, unless otherwise specified in the context clearly. It should be further understood that the term “and/or” used in the present specification indicates and includes any or all possible combinations of one or more associated listed items.

It should be understood that although terms such as “first”, “second”, and “third” can be used in the one or more implementations of the present specification to describe various types of information, the information is not limited to these terms. These terms are only used to distinguish between information of the same type. For example, without departing from the scope of the one or more implementations of the present specification, first information can also be referred to as second information, and similarly, the second information can be referred to as the first information. Depending on the context, for example, the word “if” used here can be explained as “while”, “when”, or “in response to determining”.

The previous descriptions are only example implementations of the one or more implementations of the present specification, and are not intended to limit the one or more implementations of the present specification. Any modification, equivalent replacement, improvement, etc. made without departing from the spirit and principle of the one or more implementations of the present specification shall fall within the protection scope of the one or more implementations of the present specification.

What is claimed is:
 1. A computer-implemented method for implementing privacy protection, comprising: obtaining a public key pk={N, h} corresponding to a target user, wherein h is a generator of a predetermined cyclic group with a size of k in a random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n; selecting random number r that makes h^(r) belong to the predetermined cyclic group; processing data m corresponding to the target user using the public key pk and the random number r in generating a homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N²; and providing the homomorphic ciphertext c to the target user, wherein the homomorphic ciphertext c is decipherable by the target user using a private key sk to obtain the data m, wherein a value of the private key sk is α=a·k, and a is a predetermined non-zero value.
 2. The computer-implemented method according to claim 1, wherein a quadratic residue group QR_(N) of the random number space Z*_(N) comprises an internal direct product of a group QR_(N) ^(α) and a group QR_(N) ^(β), |QR_(N) ^(β)|=α, the predetermined cyclic group comprises an internal direct product of a group QR_(N) ^(β) and a group ⟨−1⟩, wherein the group ⟨−1⟩ is a second-order cyclic group generated by element (−1 mod N) in the random number space Z*_(N), and a=½.
 3. The computer-implemented method according to claim 2, wherein if N=P·Q, P and Q are prime numbers with a length of n/2 bits, P≡Q≡3 mod 4, and gcd(P−1, Q−1)=2, it is satisfied that α=pq, β=(P−1)(Q−1)/(4pq), gcd(α, β)=1, p|(P−1), q|(Q−1), and p and q are prime numbers with a length of i/2 bits.
 4. The computer-implemented method according to claim 2, wherein h=−y^(2β) mod N, and y belongs to the random number space Z*_(N).
 5. The computer-implemented method according to claim 1, wherein the processing data m corresponding to the target user using the public key pk and the random number r in generating homomorphic ciphertext c comprises: dividing the random number r on a basis of j bits, to obtain i/j numerical segments r_(u), wherein u∈[0, (i/j)−1]; querying a pre-generated value list, wherein the pre-generated value list comprises a value of (h^(N) mod N²) raised to a power of (2^(ju)·v), and v∈[0, 2^(j)−1]; and generating [(h^(N) mod N²)^(r) mod N²] through a combination based on an identified value of (h^(N) mod N²) raised to a power of r_(u), to generate the homomorphic ciphertext c.
 6. The computer-implemented method according to claim 1, wherein n=2048, and 224≤i<n.
 7. The computer-implemented method according to claim 1, further comprising: sending homomorphic ciphertext c₀ to c_(s) respectively corresponding to data m₀ to m_(s) to a specified user to cause the specified user to perform predetermined operation f( ) that satisfies additive homomorphism on homomorphic ciphertext c₀ to c_(s), wherein an operation result f(c₀-c_(s)) returned by the specified user is decipherable using the private key sk, and a value obtained after decryption is f(m₀-m_(s)).
 8. The computer-implemented method according to claim 1, further comprising: creating a blockchain transaction between the target user and transaction objects Q_0 to Q_t based on transfer amounts m₀ to m_(t) respectively corresponding to transaction objects Q_0 to Q_t, wherein the blockchain transaction comprises homomorphic ciphertext c₀ to c_(t) respectively corresponding to transfer amounts m₀ to m_(t), t>0, and account balances of the target user and transaction objects Q_0 to Q_t are respectively recorded as corresponding homomorphic ciphertext d and d_0 to d_t in a blockchain ledger; and submitting the blockchain transaction to a blockchain network, wherein after the blockchain transaction is completed, for homomorphic ciphertext d, d_0, . . . , and d_t recorded in the blockchain ledger, there is an operation between d and (c₀+ . . . +c_(t)), an operation between d_0 and c₀, . . . , and an operation between d_t and c_(t), wherein the account balances of the target user are decreased by (m₀+ . . . +m_(t)), and the account balances of transaction objects Q_0 to Q_t are respectively decreased by c₀ to c_(t).
 9. A non-transitory, computer-readable medium storing one or more instructions executable by a computer system to perform operations for implementing privacy protection, comprising: obtaining a public key pk={N, h} corresponding to a target user, wherein h is a generator of a predetermined cyclic group with a size of k in a random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n; selecting random number r that makes h^(r) belong to the predetermined cyclic group; processing data m corresponding to the target user using the public key pk and the random number r in generating a homomorphic ciphertext c=(1+n)^(m)·(h^(r) mod n)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N²; and providing the homomorphic ciphertext c to the target user, wherein the homomorphic ciphertext c is decipherable by the target user using a private key sk to obtain the data m, wherein a value of the private key sk is α=a·k, and a is a predetermined non-zero value.
 10. The non-transitory, computer-readable medium according to claim 9, wherein a quadratic residue group QR_(N) of the random number space Z*_(N) comprises an internal direct product of a group QR_(N)^(α) and a group QR_(N)^(β), QR_(N)^(β)=α, the predetermined cyclic group comprises an internal direct product of a group QR_(N)^(β) and a group ⟨−1⟩, wherein the group ⟨−1⟩ is a second-order cyclic group generated by element (−1 mod N) in the random number space Z*_(N), and a=½.
 11. The non-transitory, computer-readable medium according to claim 10, wherein if N=P·Q, P and Q are prime numbers with a length of n/2 bits, P≡Q≡3 mod 4, and gcd(P−1, Q−1)=2, it is satisfied that α=pq, β=(P−1)(Q−1)/(4pq), gcd(α, β)=1, p|(P−1), q|(Q−1), and p and q are prime numbers with a length of i/2 bits.
 12. The non-transitory, computer-readable medium according to claim 10, wherein h=−y^(2β) mod N, and y belongs to the random number space Z*_(N).
 13. The non-transitory, computer-readable medium according to claim 9, wherein the processing data m corresponding to the target user using the public key pk and the random number r in generating homomorphic ciphertext c comprises: dividing the random number r on a basis of j bits, to obtain i/j numerical segments r_(u), wherein u∈[0, (i/j)−1]; querying a pre-generated value list, wherein the pre-generated value list comprises a value of (h^(N) mod N²) raised to a power of (2^(ju)·v), and v∈[0, 2^(j)−1]; and generating [(h^(N) mod N²)^(r) mod N²] through a combination based on an identified value of (h^(N) mod N²) raised to a power of r_(u), to generate the homomorphic ciphertext c.
 14. The non-transitory, computer-readable medium according to claim 9, wherein n=2048, and 224≤i<n.
 15. The non-transitory, computer-readable medium according to claim 9, wherein the operations further comprise: sending homomorphic ciphertext c₀ to c_(s) respectively corresponding to data m₀ to m_(s) to a specified user to cause the specified user to perform predetermined operation f( ) that satisfies additive homomorphism on homomorphic ciphertext c₀ to c_(s), wherein an operation result f(c₀-c_(s)) returned by the specified user is decipherable using the private key sk, and a value obtained after decryption is f(m₀-m_(s)).
 16. The non-transitory, computer-readable medium according to claim 9, wherein the operations further comprise: creating a blockchain transaction between the target user and transaction objects Q_0 to Q_t based on transfer amounts m₀ to m_(t) respectively corresponding to transaction objects Q_0 to Q_t, wherein the blockchain transaction comprises homomorphic ciphertext c₀ to c_(t) respectively corresponding to transfer amounts m₀ to m_(t), t>0, and account balances of the target user and transaction objects Q_0 to Q_t are respectively recorded as corresponding homomorphic ciphertext d and d_0 to d_t in a blockchain ledger; and submitting the blockchain transaction to a blockchain network, wherein after the blockchain transaction is completed, for homomorphic ciphertext d, d_0, . . . , and d_t recorded in the blockchain ledger, there is an operation between d and (c₀+ . . . +c_(t)), an operation between d_0 and c₀, . . . , and an operation between d_t and c_(t), wherein the account balances of the target user are decreased by (m₀+ . . . +m_(t)), and the account balances of transaction objects Q_0 to Q_t are respectively decreased by c₀ to c_(t).
 17. A computer-implemented system, comprising: one or more computers; and one or more computer memory devices interoperably coupled with the one or more computers and having tangible, non-transitory, machine-readable media storing one or more instructions that, when executed by the one or more computers, perform one or more operations, comprising: obtaining a public key pk={N, h} corresponding to a target user, wherein h is a generator of a predetermined cyclic group with a size of k in a random number space Z*_(N), a length of k is i bits, a length of N is n bits, and i<<n; selecting random number r that makes h^(r) belong to the predetermined cyclic group; processing data m corresponding to the target user using the public key pk and the random number r in generating a homomorphic ciphertext c=(1+N)^(m)·(h^(r) mod N)^(N)=(1+N)^(m)·(h^(N) mod N²)^(r) mod N²; and providing the homomorphic ciphertext c to the target user, wherein the homomorphic ciphertext c is decipherable by the target user using a private key sk to obtain the data m, wherein a value of the private key sk is α=a·k, and a is a predetermined non-zero value.
 18. The computer-implemented system according to claim 17, wherein a quadratic residue group QR_(N) of the random number space Z*_(N) comprises an internal direct product of a group QR_(N)^(α) and a group QR_(N)^(β), QR_(N)^(β)=α, the predetermined cyclic group comprises an internal direct product of a group QR_(N)^(β) and a group ⟨−1⟩, wherein the group ⟨−1⟩ is a second-order cyclic group generated by element (−1 mod N) in the random number space Z*_(N), and a=½.
 19. The computer-implemented system according to claim 17, wherein the operations further comprise: sending homomorphic ciphertext c₀ to c_(s) respectively corresponding to data m₀ to m_(s) to a specified user to cause the specified user to perform predetermined operation f( ) that satisfies additive homomorphism on homomorphic ciphertext c₀ to c_(s), wherein an operation result f(c₀-c_(s)) returned by the specified user is decipherable using the private key sk, and a value obtained after decryption is f(m₀-m_(s)).
 20. The computer-implemented system according to claim 17, wherein the operations further comprise: creating a blockchain transaction between the target user and transaction objects Q_0 to Q_t based on transfer amounts m₀ to m_(t) respectively corresponding to transaction objects Q_0 to Q_t, wherein the blockchain transaction comprises homomorphic ciphertext c₀ to c_(t) respectively corresponding to transfer amounts m₀ to m_(t), t>0, and account balances of the target user and transaction objects Q_0 to Q_t are respectively recorded as corresponding homomorphic ciphertext d and d_0 to d_t in a blockchain ledger; and submitting the blockchain transaction to a blockchain network, wherein after the blockchain transaction is completed, for homomorphic ciphertext d, d_0, . . . , and d_t recorded in the blockchain ledger, there is an operation between d and (c₀+ . . . +c_(t)), an operation between d_0 and c₀, . . . , and an operation between d_t and c_(t), wherein the account balances of the target user are decreased by (m₀+ . . . +m_(t)), and the account balances of transaction objects Q_0 to Q_t are respectively decreased by c₀ to c_(t).
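
The pre-generated value list of claims 5 and 13, applied to the ciphertext formula of the independent claims, as an added Python example that is not code from the patent. The toy primes, y = 2, the 3-bit window, decryption by raising to the power 2α, and ciphertext multiplication as the additively homomorphic operation are assumptions of this example.

```python
import secrets

# Constructed toy parameters shaped as in claim 11; far too small for real use.
P, Q, p, q = 23, 79, 11, 13             # P ≡ Q ≡ 3 mod 4, p | P-1, q | Q-1
N, N2 = P * Q, (P * Q) ** 2
ALPHA = p * q                            # private key sk = α = k/2
BETA = (P - 1) * (Q - 1) // (4 * ALPHA)
H = -pow(2, 2 * BETA, N) % N             # h = -y^(2β) mod N, assumed y = 2
G = pow(H, N, N2)                        # fixed base h^N mod N²
I_BITS, J_BITS = 9, 3                    # i = bit length of k = 2α; window j (assumed)

def build_table(base, mod):
    """table[u][v] = base^(2^(j·u)·v) mod mod, u in [0, i/j), v in [0, 2^j)."""
    table = []
    for u in range(I_BITS // J_BITS):
        step = pow(base, 1 << (J_BITS * u), mod)
        row = [1]
        for _ in range((1 << J_BITS) - 1):
            row.append(row[-1] * step % mod)
        table.append(row)
    return table

TABLE = build_table(G, N2)

def pow_fixed_base(r):
    """(h^N mod N²)^r mod N² from one table look-up per j-bit segment of r."""
    if not 0 <= r < 1 << I_BITS:
        raise ValueError("r must fit in i bits")
    acc = 1
    for u, row in enumerate(TABLE):
        acc = acc * row[(r >> (J_BITS * u)) & ((1 << J_BITS) - 1)] % N2
    return acc

def encrypt(m, r=None):
    if not 0 <= m < N:
        raise ValueError("m must be in [0, N)")
    r = secrets.randbelow(1 << I_BITS) if r is None else r
    return (1 + m * N) * pow_fixed_base(r) % N2   # (1+N)^m ≡ 1 + mN mod N²

def decrypt(c):
    """Assumed decryption: c^(2α) ≡ 1 + 2αm·N mod N², then divide out 2α."""
    x = pow(c, 2 * ALPHA, N2)
    return (x - 1) // N * pow(2 * ALPHA, -1, N) % N

def add(c1, c2):
    """Additive homomorphism: the product of ciphertexts encrypts m1 + m2."""
    return c1 * c2 % N2
```

With n=2048 and i=224 as in claims 6 and 14, the same table replaces a full-length modular exponentiation with i/j multiplications per encryption, at the cost of storing (i/j)·2^(j) values modulo N².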